5/9/19 (two quotes arrive from Bishop Fox)

Bishop Fox explains that they are attempting to get approval from Google to satisfy one portion of the requirements via a “Self Assessment Questionnaire” rather than a full deployment review, and policy and procedure review. Of course, I welcome the simpler approach, and I’m waiting to see if this approach is approved.

5/3/19 (later that day)

Bishop Fox acknowledges receipt of the scoping survey.

5/3/19 (I respond to Bishop Fox’s scoping survey)

It took a while to fill out, because of the detailed questions in it.

5/2/19 (Proposal arrives from Leviathan)

I’m impressed with the speed at which Leviathan handles communication. It was just 15 minutes before I got a response to my initial inquiry, and I have a proposal the very next day after our phone call. I’ve been asked not to disclose pricing information, so out of respect for Leviathan, I won’t mention that here.

5/1/19 (Call with Leviathan and follow-up)

I have a short phone call with a rep from Leviathan, where I describe the nature of GMass, its public facing interfaces, and a little about its underlying architecture. Given that GMass does not have an API and is only usable as a Chrome extension, the rep indicates that this will be one of their simpler security assessments and would require 2-3 days of work. After the call, he sends me some information to verify and an NDA, which I send back the next morning.

4/29/19 (several hours later)

Bishop Fox responds within several hours of my email.

4/29/19 (15 minutes later)

Leviathan responds within 15 minutes of my email. We eventually schedule a phone call for mid-next week.

4/29/19 (later in the day)

I reach out to both of the security firms, Leviathan Security and Bishop Fox, that have been approved to conduct the security assessment.

4/29/19 (earlier in the day)

Google denies my request to skip the security assessment.

4/22/19

I respond to the notice asking if I can skip the security assessment if I reduce the Gmail API scopes I’m using for GMass.

4/20/19

I receive a notice from Google that the fun is only now beginning (proceed with security assessment).

4/1/19

(April Fool’s Day — maybe they’ll let me know this has all been a joke?)
I’m told I’m in the final stages of verification.

3/31/19

I respond with my agreement.

3/26/19

Google emails asking me to confirm my agreement with a statement.

3/23/19

I responded with another video.

3/21/19 (a few hours later)

I received an additional request deeming the first video as insufficient.

3/21/19

I receive this request from Google for an additional video.

3/18/19

I respond, letting Google know I’ve made the branding changes they suggested.

3/15/19

After Google presumably watches my video, they respond, asking me to conform to their branding guidelines.

3/9/19

I respond with the requested YouTube video.

3/6/19

Google responds with their request for a YouTube video.

2/15/19

I responded to the ambiguous request from Google.

2/15/19

Received this email with no project ID listed, and given that I manage multiple apps built for Gmail, I didn’t know if this pertained to GMass or not.

2/9/19

I respond to Google’s request for the scope explanation.

2/7/19

Email received from Google asking for an explanation of the need for the full mail.google.com scope.

Hi Ajay & team, came across GMass. Looking for information on data security. Per this blog it seems like you are still working through being approved for Google’s new security requirements. If yes, do I need to wait before I use GMass as there may be a threat to my Gmail data if I connect to GMass today?